
MacEwan financial controls 'terrible': accounting expert

Alberta post-secondary institutions may be forced into mandatory reporting of cyber crimes in the wake of MacEwan University being duped out of almost $12 million by fraudsters, the province's advanced education minister said Friday.

Edmonton’s second-largest university revealed Thursday that $11.8 million was transferred into a bogus bank account located in Montreal, and later transferred to a Hong Kong bank, instead of being deposited into the account of one of its largest vendors.

MacEwan was only alerted to the attack when Clark Builders, the Edmonton-based construction company behind the university’s new $180-million centre for arts and culture, contacted staff after three payments failed to arrive in August.

That set off alarm bells at MacEwan.

Internal investigation

An internal investigation found staff in the accounts payable department had been tricked by fraudsters, via email, into changing the company's banking details.

The cyber criminals then created a domain that resembled that of Clark Builders and, using that domain, they successfully impersonated the company.

Three MacEwan staffers made three payments to the bogus account over a nine-day period in August with the university paying out $1.9 million, $22,000, and finally $9.9 million.

The majority of the money, $11.4 million, has been traced to bank accounts in Montreal and Hong Kong and the university is working with lawyers on civil action to recover the money.

The status of the remaining $400,000 is not known.

“What’s ironic with this whole situation is that MacEwan is one of our best clients who pays us on time, all of the time,” Clark Builders president and chief executive officer Paul Verhesen said.

“That’s what brought it to our attention.”

Clark Builders has been involved in some of MacEwan University's largest projects, including its service centre, student residence and the Robbins Health Learning Centre located at the corner of 104 Avenue and 109 Street.

“When you think about it, it really is unbelievable. These fraudsters are really good at what they do,” Verhesen said.

Reporting attacks

MacEwan reported the attack to Edmonton Police Service on Aug. 23 before contacting the Department of Advanced Education on Aug. 24 and the Office of the Auditor General on Aug. 25.

Advanced Education Minister Marlin Schmidt said that while there is an expectation that cyber attacks or online fraudulent activities are reported to the province, there is no written policy in place to compel institutions to do so.

That may change in the future once government receives a written report from MacEwan explaining what went wrong, Schmidt said.

MacEwan has been given a Sept. 15 deadline to report back to government. In the meantime, the university says it has conducted an audit of its business processes after discovering the fraud and put controls in place “to prevent further incidents.”

“It’s bewildering to me that somebody can just respond to an email like this and change the account without it having to go through, apparently, any kind of scrutiny,” Schmidt said.

“It’s frustrating and upsetting that this happened.”

This is not the first time this kind of attack has been carried out against an Alberta university.

In late 2016, the University of Lethbridge reported about $368,000 was lost in a similar attack. Earlier that same year, the University of Calgary paid hackers $20,000 in ransom following a cyber attack that devastated databases and crippled its email system.

An unsophisticated crime

An accounting expert said the MacEwan incident was far from a sophisticated attack; rather, it was a failure of internal processes.

"It's just a breakdown of very, very basic internal controls," said Prof. Karim Jamal, chair of the accounting program at the University of Alberta.

"Whoever is processing the payment should not be changing people's bank accounts. You shouldn't just be able to send someone an email and say, 'Change so-and-so's bank account to this,' and they just change the bank account. That's pretty crazy."

MacEwan described the scam as a "phishing" attack, but Jamal said that makes the incident sound more complex than it was.

"(Staff) changed the bank account and suddenly your paycheque comes to me," he said. "That's the sophistication of this crime. That's it."

He said that it's unfair to pin the blame on low-level staff. Bank account changes are unusual, should raise red flags and require a senior-level manager's OK.

Cheques above a certain amount should not be issued by junior staffers, Jamal added.

"Some very basic things are not being done here," he said. "Blaming some low-level employee is wrong. They shouldn't even be doing any of this stuff.

"If they said low-level employees, that just means their system is terrible, for one thing," he continued.

"There's no way a low-level employee should be doing this. Even if it was factually correct, that just means the system is horrible. There's no way someone at that level should be processing a $10-million money transfer."

The auditor general's office said MacEwan met its obligation to report financial irregularities and once it completes its internal review, the office will decide on a course of action.